Welcome to part 12 on “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we will continue our discussions on the 17 CMMC domains as we help you in your efforts to be CMMC ready. Don’t be left behind. If you remember, we discussed security assessments last week. Today we will discuss situational awareness or SA for short. Remember CMMC is about protecting controlled, unclassified information or CUI, which includes lim-dis and FOUO: limited distribution and for official use only.

So, you may wonder where are we in our journey through these CMMC domains? We’ve been together quite a few times, 11 to be exact, so let’s catch everybody up. So, we’ve already already reviewed awareness training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management and security assessments. If you’ve missed any, please go back and take a look at the previous vlogs that have been posted. All these domains connect and relate to each other, they are complementary so it is important as we move on to think in those terms and get that overall understanding on how each of these domains complement each other and work off of each other.

So, as a refresher, if you don’t remember CMMC (Cybersecurity Maturity Model Certification) has five levels with five being the most stringent. Contractors and subcontractors will all need to have the minimum level one, but if you want to prime a contract you will need to be at the level three.

SA has only one level 3 requirement and it also has two level 4 requirements. Today we’re only going to discuss the level 3 requirement. So, situational awareness what does it do? Well, it focuses on networks. These present serious challenges to your IT and security teams. This includes access policies, corporate and regulatory compliance mandates, and change management all of which require real-time visibility. Implementing threat monitoring is critical. Monitoring your network can provide the cyber situational awareness, SA, you need to validate access controls, audit compliance and identify misconfigurations so you can adjust them daily not annually.

So, let’s look at the level 3 requirement. This requirement is about how you receive and respond to cyber threat intelligence from information sharing forums and sources and then communicate this to your stakeholders, pretty simple. You need to ensure you have up-to-date cyber threat intelligence information so you can properly perform risk assessments and vulnerability analyses. This will ensure proper threat monitoring is taking place.

So how do you get this information? Well, to do this, you can join the defense sector Information Sharing and Analysis Center (ISAC) and sign up for alerts from the United States Computer Emergency Readiness team also known as USCERT. You can use information you receive from these sources to update your threat profiles, vulnerability scans and risk assessments. Also, you can use these sources to gather best practices for informing your employees of potential threats and disseminate this information throughout your organization and to the appropriate stakeholders, simple enough. One level 3 requirement for SA. Hopefully you’re doing threat monitoring and maintaining situational awareness of your network. If you are, you’re closing those CMMC compliance gaps and getting prepared for CMMC implementation so good job.

Things you should already be doing: fund your CMMC program, without funding it’s probably not going to move anywhere and you’re not going to become compliant; become familiar with CMMC in general and specifically NIST SP 800-171 and 800-53.

In our next review, we will discuss CMMC practices for system and communications protection, SC. I look forward to seeing you all then, until then this is Bob Hanley from Sabre Systems, hoping you’re becoming CMMC compliant. Thanks, and have a great holiday season.